Tutorials:CreateCertAuth: Difference between revisions
From Adapt
Latest revision as of 23:15, 11 September 2008
Setting up CA and certificates
Create CA Directories
This example assumes ~/ssl will contain all certificates and private keys. You should probably delete client keys after creating and distributing the PKCS12 keystore. If you want to create new clients, just go to the client-creation section below. If you need a keystore with additional certificates in it, create your own PEM file containing all the required certificates.
The CA below has been copied into naraapp:~naraapp/ssl, with the cacert using the same password as the account. Client and producer keystores are also in that directory, with the passwords client and producer respectively.
[toaster@loach ~/ssl]$ mkdir ssl
[toaster@loach ~/ssl]$ cd ssl
[toaster@loach ~/ssl]$ touch index.txt
[toaster@loach ~/ssl]$ echo 100001 > serial
Download the openssl.cnf listed below and put it in this directory. The commands that follow also write into the private/ and newcerts/ subdirectories of this directory, so make sure they exist.
Create CA Certificate
[toaster@loach ~/ssl]$ openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf
Generating a 1024 bit RSA private key
....................................++++++
...........++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Maryland]:
Locality Name (eg, city) [College Park]:
Organization Name (eg, company) [UMIACS]:
Organizational Unit Name (eg, section) []:ADAPT CA
Common Name (eg, your name or your server's hostname) []:Adapt Project CA
Email Address []:toaster@umiacs.umd.edu
Create Producer keystore
Generate the producer's public/private key pair and certificate request
[toaster@loach ~/ssl]$ openssl req -new -nodes -out producer-req.pem -keyout private/producer-key.pem -days 365 -config ./openssl.cnf
Generating a 1024 bit RSA private key
.....................................++++++
.........................++++++
writing new private key to 'private/producer-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Maryland]:
Locality Name (eg, city) [College Park]:
Organization Name (eg, company) [UMIACS]:
Organizational Unit Name (eg, section) []:PAWN Producer
Common Name (eg, your name or your server's hostname) []:Pawn Producer
Email Address []:toaster@umiacs.umd.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Now it's time to sign the certificate with the CA.
[toaster@loach ~/ssl]$ openssl ca -out producer-cert.pem -days 365 -config ./openssl.cnf -infiles producer-req.pem
Using configuration from ./openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1048577 (0x100001)
        Validity
            Not Before: Jul 21 21:19:32 2005 GMT
            Not After : Jul 21 21:19:32 2006 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Maryland
            organizationName          = UMIACS
            organizationalUnitName    = PAWN Producer
            commonName                = Pawn Producer
            emailAddress              = toaster@umiacs.umd.edu
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7A:20:C4:91:8A:67:F4:21:A5:8F:8D:B8:92:BE:02:61:34:4F:02:02
            X509v3 Authority Key Identifier:
                keyid:1B:99:B9:92:09:0E:37:68:36:1B:67:7C:4D:27:3F:39:2B:79:84:95
                DirName:/C=US/ST=Maryland/L=College Park/O=UMIACS/OU=ADAPT CA/CN=Adapt Project CA/emailAddress=toaster@umiacs.umd.edu
                serial:00

Certificate is to be certified until Jul 21 21:19:32 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Create the producer's keystore. Because Java requires every item in a keystore, trusted certificates included, to have an alias, we label the CA certificate cacert and the producer's certificate producer. You can change these on the server if you want to use other alias names.
[toaster@loach ~/ssl]$ openssl pkcs12 -export -in producer-cert.pem -inkey private/producer-key.pem \
    -certfile cacert.pem -caname cacert -name "producer" -out producer.p12
Enter Export Password:
Verifying - Enter Export Password:
Next, we create a certificate file containing both the CA and producer certificates. This file is used when generating client keystores.
[toaster@loach ~/ssl]$ cp cacert.pem ca-producer.pem
[toaster@loach ~/ssl]$ cat newcerts/producer.pem >> ca-producer.pem
Create Client keystores
Client keystores are almost identical, except that they contain one extra certificate: that of the producer they connect to. This lets the client verify the authenticity of the SAML certificates the producer generates, preventing man-in-the-middle attacks.
[toaster@loach ~/ssl]$ openssl req -new -nodes -out client-req.pem -keyout private/client-key.pem -days 365 -config ./openssl.cnf
Generating a 1024 bit RSA private key
......................++++++
..................++++++
writing new private key to 'private/client-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Maryland]:
Locality Name (eg, city) [College Park]:
Organization Name (eg, company) [UMIACS]:
Organizational Unit Name (eg, section) []:PAWN Client
Common Name (eg, your name or your server's hostname) []:Pawn Client
Email Address []:toaster@umiacs.umd.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Now sign it with the CA.
[toaster@loach ~/ssl]$ openssl ca -out client-cert.pem -days 365 -config ./openssl.cnf -infiles client-req.pem
Using configuration from ./openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1048578 (0x100002)
        Validity
            Not Before: Jul 21 21:25:50 2005 GMT
            Not After : Jul 21 21:25:50 2006 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Maryland
            organizationName          = UMIACS
            organizationalUnitName    = PAWN Client
            commonName                = Pawn Client
            emailAddress              = toaster@umiacs.umd.edu
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                6C:10:B8:0D:08:72:63:15:29:69:B9:2F:9C:CB:C2:50:DF:C4:F7:D0
            X509v3 Authority Key Identifier:
                keyid:1B:99:B9:92:09:0E:37:68:36:1B:67:7C:4D:27:3F:39:2B:79:84:95
                DirName:/C=US/ST=Maryland/L=College Park/O=UMIACS/OU=ADAPT CA/CN=Adapt Project CA/emailAddress=toaster@umiacs.umd.edu
                serial:00

Certificate is to be certified until Jul 21 21:25:50 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Build the keystore with the CA and producer certificates in addition to the client's own key and certificate.
[toaster@loach ~/ssl]$ openssl pkcs12 -export -in client-cert.pem -inkey private/client-key.pem -certfile ca-producer.pem \
    -caname cacert -caname producer -name "client" -out client.p12
Enter Export Password:
Verifying - Enter Export Password:
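As an added example (not from the original tutorial, and not the Adapt project's own code), the script below reproduces the CA, leaf-certificate and PKCS12 steps above non-interactively and adds the two checks the tutorial never runs: that the issued certificate really chains to the CA, and that the keystore carries the cacert and leaf aliases Java will look up. It assumes openssl 1.1.1 or newer on PATH; it signs with openssl x509 -req rather than openssl ca so it needs no index.txt, serial or openssl.cnf, and the pass phrases and working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the tutorial's own commands: throwaway CA, one leaf
# certificate, a PKCS12 keystore with the tutorial's aliases, then checks.
# Assumptions: openssl 1.1.1+ on PATH; files go under $SSLDIR (a temp dir
# by default); pass phrases below are constructed placeholders.
set -eu

SSLDIR=${SSLDIR:-$(mktemp -d)}
CA_PASS=${CA_PASS:-constructed-ca-pass}   # placeholder CA key pass phrase
P12_PASS=${P12_PASS:-producer}            # tutorial's producer.p12 password

# Self-signed CA. Leaves are signed with "openssl x509 -req" below, which
# needs none of the index.txt/serial/openssl.cnf state "openssl ca" uses.
make_ca() {
    mkdir -p "$SSLDIR/private"
    openssl req -new -x509 -newkey rsa:2048 -days 365 \
        -subj "/C=US/ST=Maryland/O=UMIACS/OU=ADAPT CA/CN=Adapt Project CA" \
        -passout "pass:$CA_PASS" -keyout "$SSLDIR/private/cakey.pem" \
        -out "$SSLDIR/cacert.pem" 2>/dev/null
}

# Issue a CA:FALSE leaf for $1 (e.g. producer) and pack key + leaf + CA cert
# into $1.p12 under the aliases "cacert" and "$1", as the tutorial does.
make_leaf() {
    name=$1
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/C=US/ST=Maryland/O=UMIACS/OU=PAWN $name/CN=Pawn $name" \
        -keyout "$SSLDIR/private/$name-key.pem" -out "$SSLDIR/$name-req.pem" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\n' > "$SSLDIR/leaf.ext"
    openssl x509 -req -days 365 -in "$SSLDIR/$name-req.pem" \
        -CA "$SSLDIR/cacert.pem" -CAkey "$SSLDIR/private/cakey.pem" \
        -passin "pass:$CA_PASS" -CAcreateserial -extfile "$SSLDIR/leaf.ext" \
        -out "$SSLDIR/$name-cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$SSLDIR/$name-cert.pem" \
        -inkey "$SSLDIR/private/$name-key.pem" -certfile "$SSLDIR/cacert.pem" \
        -caname cacert -name "$name" -passout "pass:$P12_PASS" \
        -out "$SSLDIR/$name.p12"
}

# Does the leaf for $1 chain to our CA? Exit status 0 means it verifies.
verify_leaf() {
    openssl verify -CAfile "$SSLDIR/cacert.pem" "$SSLDIR/$1-cert.pem" >/dev/null
}

# Number of certificate aliases (friendlyName) in $1.p12; 2 = cacert + leaf.
p12_alias_count() {
    openssl pkcs12 -in "$SSLDIR/$1.p12" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
        | grep -c 'friendlyName:'
}
```

Run make_ca once, then make_leaf producer and make_leaf client; a failing verify_leaf means the keystore would be rejected by any peer that trusts only cacert.pem.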
-- Main.MikeSmorul - 21 Jul 2005